Pierre Delcher, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT) on the issues in battling cybercrime and a plan of what we should do to finally start winning this fight
Cybersecurity researchers, governmental bodies, independent threat hunters, private cybersec organisations – we all do our jobs not in the least to contribute to a broader mission of building a safer world. Yet, somehow, we are failing.
Cyberattacks numbers keep skyrocketing every year. Never before has cyber-crime been so loud and real, reaching every possible device, from IoT to supercomputers to smartphones. Whatever the malicious intent is – to tackle competition, spy on a partner, persecute a minority, disrupt critical infrastructure, influence electoral processes, you name it, cyber-attacks are the go-to companion. Cyber-based conflicts keep escalating and ransomware or state-sponsored cyberattacks kept hitting hard even while we were all are facing a pandemic. Overall, it does not look so good, and that is in parallel to the speedily cybersecurity industry.
Why would outstanding technical efforts, cybersecurity solutions abundance, heavily skilled workforces, and decades of awareness raising fail to tackle cyber-threats?
There are multiple reasons why. Discussing this topic with my colleagues, fellow organisations and professionals in the field, we all come to more or less the same conclusions.
Lack of concern, specialised technical knowledge, skilled resources and training they are no longer a major barrier. What mostly prevents success is the governance and sense of responsibility among many market players. Let’s break that down.
Governing willpower around?
Be it obvious or surprising to you, a high-level cooperative global willpower and governance are missing to properly tackle cyber-attacks and protect what is at stake, and as a result, hinder substantial advancement of cybersecurity on global level. While we have all agreed on human rights, decrease of nuclear-powered warheads and other international concepts, this is not yet the case for cybersecurity – and it absolutely should be. These crucial peace, freedom and resilience safeguards did not come into force by chance. They came from political willpower, international cooperation, continuously improved governance, and determined enforcement.
Existing regulations are not (global) enough
The existing regulations simply are not enough. Most of the existing initiatives and directives are non-binding and hence, not as effective nor widespread as it is needed. In fact, most of cyberattacks we face do not actually leverage sophisticated technical vulnerabilities or tools, because it is not necessary to. It is way often way too easy to get in public and private organisation’s owned devices and networks, as elementary cybersecurity measures are still not implemented, and as organisation’s very own digital assets are not clearly identified or not controlled enough. For instance, with continuous emergence and development of new technologies – from IoT to robotics and “cloud infrastructures”, regulations that enforce security by design are necessary – otherwise we will continue seeing new potential attack vectors practically handed on a plate to the threat actors. Implementation of basic cybersecurity-literacy in educational programs is necessary too.
Another factor influencing the current state of affairs is double-dealing: the same parties that may fall victims to cyberattacks, often endorse and sponsor cybercrime when it profits them. Cyberattacks appear highly profitable in the short-term, hard to attribute, unsupervised and largely unpunished, even when exposed – think of many cases when certain hackers were accused and even prosecuted but got off with a simple fine or an administrative punishment. Allowing such practices or looking over them in first place enables proliferation of cybercrime and hands the cybercriminals and threat actors the opportunity to continually improve their skills and make money to fund even more cybercrime.
Even cybersecurity-dedicated government bodies and non-state actors might also play this dangerous game. Cybersecurity threat-intelligence and data is of topmost interest to national defence and security management, as well as very valuable to the competitive cybersecurity business, which means that it is in their interest to keep it to themselves. Yet, without sharing intelligence and insights on investigations to the community for free, no global result can be achieved.
What can we do about it?
It is rather unusual for cybersecurity researchers and experts to venture to write on governance matters. Yet, here we are – sharing our concerns and proposing a common path to cybersecurity. We do not claim that further proposition is the most accurate and comprehensive and, perhaps, it is idealistic, but we are confident that by all means these propositions can bring us closer to a secure world:
A universal cooperative and global governing instrument
A dedicated, strong, permanent and focused international instrument, possibly hosted by the UN, must be created with a purpose to tackle the failure causes exposed above, and help governments to enforce regulations and cooperatively take measures when they are needed. This body should ideally guarantee a continuous dialogue with representatives for governments, the private sector, civil society and technical community and ensure that most findings are shared across nations and cybersecurity players.
The created governing instrument should also be able to build norms and regulations and rely on existing non-binding norms, and a cooperative approach to control, attribution of cyber-attacks and sanction against non-compliant behaviour or crime, risk analysis, capacity-building, and education for cybersecurity. And while this step certainly isn’t an easy one to make, we can’t forego it if we want to bring on the safer future.
An international binding treaty of responsible behaviour in cyberspace
Currently existing definition of 13 principles that constitute a norm of responsible behaviour in cyberspace adopted by the UN General Assembly in 2016 and endorsed in 2018 is followed on voluntary basis. This should change with the norms becoming binding. As far as private companies are concerned, the norm could set transparency and ethics baselines.
We could not fail to mention Kaspersky’s own Global Transparency Initiative, which we truly believe to be a good source of inspiration to set some private sector focused norms. This includes independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. Code of ethics or ethics principles, from the “FIRST” international CSIRTs community or from Kaspersky, that notably tackle the responsible disclosure of security vulnerabilities, could also be leveraged as inspiration for private companies applied norm.
Global regulations and shared means for cybersecurity
In order to tackle residual double-dealing issues and regulation needs that we previously exposed in our hypotheses, the global governing instrument or guidance should build and support further common regulations, on top of the previously mentioned norms of behaviour. Such global regulations would ensure a consistent baseline of security requirements, to prevent proliferation of cyber-weapons, prevent and firmly condemn cyber-attacks, implement cybersecurity controls, foster responsibility, and facilitate cooperation. How, where, and under which terms this governing instrument or guidance can be established – should be a discussion for both state and non-state actors to ensure that we all fully recognise our responsibility to keep digital space secure.
To sum it up
Global cybersecurity state reached an insufficient ceiling, while cyber-based conflicts potential is still being filled. Meanwhile, having faced the COVID-19 pandemic, we all got to observe how information technologies and digital assets are vital to the democracy, the economy, society’s development, security and entertainment.
Some of the most pressing problems countries across the world share are global and can only be resolved with cooperation. True, it is not easy and sets us on a long path of cooperation, but it is in everybody’s interest. It is a good time for the leaders of governments, international and regional organisations, private sector, technical community and civil society to cooperatively choose the long-term peace of our cyberspace, over short-term nationalistic or private interests.
The world is digital, it is interconnected and it must be secured.